Imagine that you are tasked with listing all the cisco.com subdomains that appear on the cisco.com index page and then finding the IP address of each one. Doing this manually would be tedious and slow, but with a few simple bash commands it becomes a quick task.

Let's start by downloading the index page for cisco.com with the wget command (wget saves it locally as index.html):
#wget cisco.com

Let's open a text file and write a bash script that will
- read all of the domain names from the cisco.txt file (the subdomain names extracted from the downloaded index page), and
- run the host command against each one of them, printing a clean output to the console.

Using the nano text editor, create a file called cisco.sh:
#nano cisco.sh

The output of this script is a list of IP addresses only; no domain names are shown, so you cannot tell which address belongs to which name.

------------------------------------------------
In fact, the whole exercise can be done with a single line of bash, similar to the following:
#for url in $(grep -o '[A-Za-z0-9_.-]*\.*cisco\.com' index.html |sort -u); do host $url|grep "has address"|cut -d" " -f4;done
(The cut -d" " -f4 picks the fourth space-separated field of each "name has address A.B.C.D" line, i.e. the address. Names that return no A record produce no "has address" line and are silently skipped, and the address is printed without the name it belongs to.)
------------------------------------------------
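The same job written as the cisco.sh script described above, as an added example that is not code from the original page: it keeps each hostname next to its address, reports names that do not resolve instead of dropping them, and rejects look-alike hosts such as www.notcisco.com that the one-liner's pattern would accept. SAMPLE_HTML is a constructed stand-in for the downloaded index.html, the function names are my own, and the RESOLVE=1 switch is an assumption so the script can be run offline.

```bash
#!/usr/bin/env bash
# Added example: list the *.cisco.com hostnames found in a saved index page
# and resolve each one with host(1), printing "hostname address" pairs so the
# name and its address stay together. SAMPLE_HTML is a constructed stand-in
# for the downloaded index.html, not the real cisco.com page.
set -u

SAMPLE_HTML='<a href="https://www.cisco.com/c/en/us/index.html">Home</a>
<a href="http://tools.cisco.com/security/center/home.x">Security</a>
<link rel="stylesheet" href="https://www.cisco.com/etc/designs/main.css">
<a href="https://supportforums.cisco.com/">Forums</a>
<img src="https://www.notcisco.com/logo.png" alt="unrelated host">'

# Pull every hostname that is cisco.com or ends in .cisco.com out of the
# HTML on stdin, one per line, de-duplicated. The awk filter rejects names
# such as www.notcisco.com that the greedy grep pattern would otherwise keep.
extract_subdomains() {
    grep -oE '[A-Za-z0-9_.-]*cisco\.com' \
        | awk '$0 == "cisco.com" || $0 ~ /\.cisco\.com$/' \
        | sort -u
}

# Reduce host(1) output for one name (on stdin) to "name A.B.C.D" lines.
# host prints "<name> has address <ip>" per A record; "is an alias for" and
# "has IPv6 address" lines are ignored. A name with no A record prints
# "name unresolved" rather than vanishing, which is what the one-liner does.
parse_host_output() {
    awk -v name="$1" '
        $2 == "has" && $3 == "address" { print name, $4; found = 1 }
        END { if (!found) print name, "unresolved" }'
}

# Resolve every name listed in the file given as $1 (one per line).
resolve_all() {
    local name
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        host "$name" 2>/dev/null | parse_host_output "$name"
    done < "$1"
}

list=$(mktemp)                       # stands in for the page's cisco.txt
printf '%s\n' "$SAMPLE_HTML" | extract_subdomains > "$list"
if [ "${RESOLVE:-0}" = 1 ]; then     # RESOLVE=1 ./cisco.sh does live DNS lookups
    resolve_all "$list"
else                                 # default: stay offline, show the names found
    cat "$list"
fi
rm -f "$list"
```

Run it as `RESOLVE=1 bash cisco.sh` to perform the lookups; without the variable it only prints the three names it extracted from the sample, which is enough to check the pattern before pointing it at a real page.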

We are given an Apache HTTP server log that contains evidence of an attack. Our task is to use simple bash commands to inspect the file and discover various pieces of information, such as who the attackers were and what exactly happened on the server.

We first use the head and wc commands to take a quick peek at the log file and understand its structure.

We see fewer than ten distinct IP addresses. Next we use the sort and uniq commands to refine the output and order the IP addresses by the number of times each one accessed the server:
#cat access.log |cut -d" " -f1 |sort |uniq -c |sort -rn
(uniq -c only merges adjacent duplicates, so the first sort is required. The final sort must not use -u: with -n it would drop every IP whose count ties with another's.)

Focusing on the one IP with the highest access count, the following command sequence displays and counts the resources it requested (the second "-delimited field of each line is the request line):
#cat access.log |grep '208.68.234.99' |cut -d "\"" -f2 |uniq -c
(grep matches the address anywhere in the line, so a referrer containing it, or a longer address such as 208.68.234.199, would match too; anchoring the pattern to the start of the line avoids that.)

From the output above, it looks like this IP was requesting only the /admin resource.

The output from the above command suggests this IP has been carrying out an HTTP brute force attack against the server. Furthermore, it appears that after around 1070 attempts the brute force succeeded, as indicated by a 200 response code from the server recorded in the log. Note that the response code is not part of the request field shown by the previous command: in Apache's common and combined log formats it is the ninth space-separated field of each line, so it has to be cut out separately to see the run of failures turn into a success.
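The whole triage above as reusable shell functions, added here as an example that is not part of the original page. It runs over a constructed Apache combined-format log built by make_sample_log, not the page's real access.log; the attacker address 208.68.234.99 is the one named in the text, while every other address, timestamp, user agent and byte count is made up. It goes one step further than the page by pulling the response-code field (field 9) and counting how many /admin attempts preceded the first 200.

```bash
#!/usr/bin/env bash
# Added example: the log triage as shell functions, run over a constructed
# Apache combined-format log (make_sample_log), not the page's real log.
# 208.68.234.99 is the address named in the text; all other values are made up.
set -u

# Write a small combined-format log to the file named in $1: a little normal
# traffic, then 12 failed POSTs to /admin from one address followed by a
# success (200) and a follow-up request to the admin area.
make_sample_log() {
    local i=1
    {
        printf '10.0.0.5 - - [10/Mar/2024:14:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"\n'
        printf '192.0.2.7 - - [10/Mar/2024:14:00:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/8.0"\n'
        printf '10.0.0.5 - - [10/Mar/2024:14:00:15 +0000] "GET /about.html HTTP/1.1" 404 233 "-" "Mozilla/5.0"\n'
        while [ "$i" -le 12 ]; do
            printf '208.68.234.99 - - [10/Mar/2024:14:05:%02d +0000] "POST /admin HTTP/1.1" 401 381 "-" "python-requests/2.31"\n' "$i"
            i=$((i + 1))
        done
        printf '208.68.234.99 - - [10/Mar/2024:14:05:13 +0000] "POST /admin HTTP/1.1" 200 2210 "-" "python-requests/2.31"\n'
        printf '208.68.234.99 - - [10/Mar/2024:14:05:14 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-" "python-requests/2.31"\n'
    } > "$1"
}

# Request count per client IP, busiest first. The first sort is required
# because uniq -c only merges adjacent lines; the last sort must not use -u,
# which would drop every IP whose count ties with another's.
top_ips() {
    cut -d' ' -f1 "$1" | sort | uniq -c | sort -rn
}

# Just the busiest address.
top_ip() {
    top_ips "$1" | head -n 1 | awk '{ print $2 }'
}

# Request lines (the second "-delimited field) issued by one IP, with counts.
# awk's exact comparison on field 1 avoids the substring matches a plain
# grep for the address would give (a referrer, or 208.68.234.199).
requests_by() {
    awk -v ip="$2" '$1 == ip' "$1" | cut -d'"' -f2 | sort | uniq -c | sort -rn
}

# Response codes (field 9) returned to one IP, in log order, as run lengths,
# so a long run of 401s followed by a 200 stands out.
status_runs_by() {
    awk -v ip="$2" '$1 == ip { print $9 }' "$1" | uniq -c
}

# Ordinal of the first request from IP $2 to path $3 that got a 200, or 0
# if none did: "the brute force succeeded on attempt N".
first_success_attempt() {
    awk -v ip="$2" -v path="$3" '
        $1 == ip && $7 == path { n++; if ($9 == 200 && !done) { done = 1; print n } }
        END { if (!done) print 0 }' "$1"
}

log=$(mktemp)
make_sample_log "$log"
echo "== requests per IP ==";             top_ips "$log"
ip=$(top_ip "$log")
echo "== requests from $ip ==";           requests_by "$log" "$ip"
echo "== response code runs for $ip ==";  status_runs_by "$log" "$ip"
echo "== /admin succeeded on attempt $(first_success_attempt "$log" "$ip" /admin) =="
rm -f "$log"
```

Point the functions at a real file by replacing the make_sample_log call with the path to access.log; the field numbers assume the default common or combined log format, so a custom LogFormat needs them adjusted.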